Outbound Data Loss Prevention (DLP)
Outbound Data Loss Prevention ensures the protection of sensitive information in outbound emails with Cloudflare Data Loss Prevention (DLP). Outbound Data Loss Prevention integrates with your inbox, and it proactively monitors your email to prevent unauthorized data leaks.
To enable Outbound DLP:
An outbound policy allows you to control outbound email flow.
To create an outbound DLP policy:
- 
In Zero Trust ↗, go to Email Security > Outbound DLP. 
- 
Select Add a policy. 
- 
Name your policy. 
- 
Build an expression to match specific email traffic. For example, you can create a policy that blocks outbound emails containing identifying numbers: Selector Operator Value Logic Action Recipient email not in example.comAnd Block Matched DLP profile in Social Security, Insurance, Tax, and Identifier Numbers 
- 
(Optional) Choose whether to use the default block message or a custom message. 
- 
Select Create policy. 
After creating your policy, you can modify or reorder your policies in Email Security > Outbound DLP.
| Selector | Description | 
|---|---|
| Recipient email | The intended recipient of an outbound email. | 
| Email sender | The user in your organization sending an email. | 
| Matched DLP profile | The DLP profile that content of an email matches upon scan. | 
The Data Loss Prevention (DLP) Assist add-in allows Microsoft O365 users to deploy a DLP solution for free using Cloudflare's Email Security.
To set up DLP Assist add-in:
- In Zero Trust ↗, go to Email Security > Outbound DLP.
- Select View Microsoft add-in instructions > Select Download add-in. This downloads a .xmlfile necessary to install the add-in on the client side.
- Set up the add-in in Microsoft 365:
- Log in to the Microsoft admin panel ↗ and go to Microsoft 365 Admin Center > Settings > Integrated Apps.
- Choose Upload custom apps and select Office Add-in for the application type.
- Select Upload manifest file (.xml) from device.
- Upload the Cloudflare add-in file you downloaded in step three. Then, verify and complete the wizard. It can take up to 24 hours for an add-in to propagate.
 
The add-in works by inserting headers into the EML ↗ on the client side before the message is sent out.
To block, encrypt, or send approval, you can configure rules within Microsoft Purview DLP:
- Go to Microsoft Purview ↗.
- Select Policies > Create policy.
- Do not choose any templates or custom policy. Select Next.
- Choose a name and description for the policy: You can choose any name. However, this guide will use Cloudflare Assist Block.
- Select Next on Admin Units:
- Choose to only apply to Exchange Email.
- Choose Create or customize advanced DLP Rules.
 
- Select Create rule:
- Create a policy name.
- Add the following conditions:
- Header contains words or phrases: Key: cf_outbound_dlp with Value: BLOCK
- Select AND.
- Content is shared from Microsoft 365: Select with people from outside my organization.
 
- Header contains words or phrases: 
 
- Under Actions, the admin can choose what to do with the message. You can use the Restrict access or encrypt the content in Microsoft 365 locations to block the message or encrypt it.
- Under User notifications, turn on notifications. Admins can also edit the message if they want to. You can also configure if the admin wants to receive a notification under Incident reports > Use this severity level in admin alerts and reports.
- Select Save.
- Select Turn the Policy On Immediately.
Was this helpful?
- Resources
- API
- New to Cloudflare?
- Products
- Sponsorships
- Open Source
- Support
- Help Center
- System Status
- Compliance
- GDPR
- Company
- cloudflare.com
- Our team
- Careers
- 2025 Cloudflare, Inc.
- Privacy Policy
- Terms of Use
- Report Security Issues
- Trademark